feat: custom ca for caddy (#931)

* fix: send email on transcript page permissions fixed

* feat: custom ca for caddy

server/Dockerfile

@@ -6,7 +6,7 @@ ENV PYTHONUNBUFFERED=1 \
 
 # builder install base dependencies
 WORKDIR /tmp
-RUN apt-get update && apt-get install -y curl ffmpeg && apt-get clean
+RUN apt-get update && apt-get install -y curl ffmpeg ca-certificates && apt-get clean
 ADD https://astral.sh/uv/install.sh /uv-installer.sh
 RUN sh /uv-installer.sh && rm /uv-installer.sh
 ENV PATH="/root/.local/bin/:$PATH"
@@ -18,7 +18,7 @@ COPY pyproject.toml uv.lock README.md /app/
 RUN uv sync --compile-bytecode --locked
 
 # bootstrap
-COPY alembic.ini runserver.sh /app/
+COPY alembic.ini docker-entrypoint.sh runserver.sh /app/
 COPY images /app/images
 COPY migrations /app/migrations
 COPY reflector /app/reflector
@@ -35,4 +35,6 @@ RUN if [ "$(uname -m)" = "aarch64" ] && [ ! -f /usr/lib/libgomp.so.1 ]; then \
 # Pre-check just to make sure the image will not fail
 RUN uv run python -c "import silero_vad.model"
 
-CMD ["./runserver.sh"]
+RUN chmod +x /app/docker-entrypoint.sh
+
+CMD ["./docker-entrypoint.sh"]

server/docker-entrypoint.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+# Custom CA certificate injection
+# If a CA cert is mounted at this path (via docker-compose.ca.yml),
+# add it to the system trust store and configure all Python SSL libraries.
+CUSTOM_CA_PATH="/usr/local/share/ca-certificates/custom-ca.crt"
+
+if [ -s "$CUSTOM_CA_PATH" ]; then
+    echo "[entrypoint] Custom CA certificate detected, updating trust store..."
+    update-ca-certificates 2>/dev/null
+
+    # update-ca-certificates creates a combined bundle (system + custom CAs)
+    COMBINED_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
+    export SSL_CERT_FILE="$COMBINED_BUNDLE"
+    export REQUESTS_CA_BUNDLE="$COMBINED_BUNDLE"
+    export CURL_CA_BUNDLE="$COMBINED_BUNDLE"
+    export GRPC_DEFAULT_SSL_ROOTS_FILE_PATH="$COMBINED_BUNDLE"
+    echo "[entrypoint] CA trust store updated (SSL_CERT_FILE=$COMBINED_BUNDLE)"
+fi
+
+exec ./runserver.sh

server/reflector/views/transcripts.py

@@ -700,8 +700,6 @@ async def transcript_post_to_zulip(
     )
     if not transcript:
         raise HTTPException(status_code=404, detail="Transcript not found")
-    if not transcripts_controller.user_can_mutate(transcript, user_id):
-        raise HTTPException(status_code=403, detail="Not authorized")
     content = get_zulip_message(transcript, include_topics)
 
     message_updated = False
@@ -733,17 +731,15 @@ class SendEmailResponse(BaseModel):
 async def transcript_send_email(
     transcript_id: str,
     request: SendEmailRequest,
-    user: Annotated[auth.UserInfo, Depends(auth.current_user)],
+    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
 ):
     if not is_email_configured():
         raise HTTPException(status_code=400, detail="Email not configured")
-    user_id = user["sub"]
+    user_id = user["sub"] if user else None
     transcript = await transcripts_controller.get_by_id_for_http(
         transcript_id, user_id=user_id
     )
     if not transcript:
         raise HTTPException(status_code=404, detail="Transcript not found")
-    if not transcripts_controller.user_can_mutate(transcript, user_id):
-        raise HTTPException(status_code=403, detail="Not authorized")
     sent = await send_transcript_email([request.email], transcript)
     return SendEmailResponse(sent=sent)